diff options
author | swiergot <swiergot> | 2007-09-20 17:33:04 +0200 |
---|---|---|
committer | swiergot <swiergot> | 2007-09-20 17:33:04 +0200 |
commit | 0b92839bee80fc2ba6ea67be1e48d176c0d242bc (patch) | |
tree | 6aa8f1250ffe26ffe980d5aa77205586a236dfb0 /web/lib/acctfuncs.inc | |
parent | 9ab02ad6a752e993bad3fe991a6a16a26d7cfcdd (diff) | |
download | aur-0b92839bee80fc2ba6ea67be1e48d176c0d242bc.tar.gz aur-0b92839bee80fc2ba6ea67be1e48d176c0d242bc.tar.xz |
- Applied a patch from Loui to fix session removal.
- Replaced all occurences of mysql_escape_string()
with mysql_real_escape_string().
Diffstat (limited to 'web/lib/acctfuncs.inc')
-rw-r--r-- | web/lib/acctfuncs.inc | 36 |
1 files changed, 18 insertions, 18 deletions
diff --git a/web/lib/acctfuncs.inc b/web/lib/acctfuncs.inc index fe8aefbd..fa6df458 100644 --- a/web/lib/acctfuncs.inc +++ b/web/lib/acctfuncs.inc @@ -206,7 +206,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # NOTE: a race condition exists here if we care... # $q = "SELECT COUNT(*) AS CNT FROM Users "; - $q.= "WHERE Username = '".mysql_escape_string($U)."'"; + $q.= "WHERE Username = '".mysql_real_escape_string($U)."'"; if ($TYPE == "edit") { $q.= " AND ID != ".intval($UID); } @@ -224,7 +224,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # NOTE: a race condition exists here if we care... # $q = "SELECT COUNT(*) AS CNT FROM Users "; - $q.= "WHERE Email = '".mysql_escape_string($E)."'"; + $q.= "WHERE Email = '".mysql_real_escape_string($E)."'"; if ($TYPE == "edit") { $q.= " AND ID != ".intval($UID); } @@ -250,12 +250,12 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", $P = md5($P); $q = "INSERT INTO Users (AccountTypeID, Suspended, Username, Email, "; $q.= "Passwd, RealName, LangPreference, IRCNick, NewPkgNotify) "; - $q.= "VALUES (1, 0, '".mysql_escape_string($U)."'"; - $q.= ", '".mysql_escape_string($E)."'"; - $q.= ", '".mysql_escape_string($P)."'"; - $q.= ", '".mysql_escape_string($R)."'"; - $q.= ", '".mysql_escape_string($L)."'"; - $q.= ", '".mysql_escape_string($I)."'"; + $q.= "VALUES (1, 0, '".mysql_real_escape_string($U)."'"; + $q.= ", '".mysql_real_escape_string($E)."'"; + $q.= ", '".mysql_real_escape_string($P)."'"; + $q.= ", '".mysql_real_escape_string($R)."'"; + $q.= ", '".mysql_real_escape_string($L)."'"; + $q.= ", '".mysql_real_escape_string($I)."'"; if ($N) { $q.= ", 1)"; } else { @@ -281,7 +281,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", #md5 hash the password $q = "UPDATE Users SET "; - $q.= "Username = '".mysql_escape_string($U)."'"; + $q.= "Username = '".mysql_real_escape_string($U)."'"; if ($T) { $q.= ", AccountTypeID = ".intval($T); } @@ -290,13 +290,13 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", } else { $q.= ", Suspended = 0"; } - $q.= ", Email = '".mysql_escape_string($E)."'"; + $q.= ", Email = '".mysql_real_escape_string($E)."'"; if ($P) { - $q.= ", Passwd = '".mysql_escape_string(md5($P))."'"; + $q.= ", Passwd = '".mysql_real_escape_string(md5($P))."'"; } - $q.= ", RealName = '".mysql_escape_string($R)."'"; - $q.= ", LangPreference = '".mysql_escape_string($L)."'"; - $q.= ", IRCNick = '".mysql_escape_string($I)."'"; + $q.= ", RealName = '".mysql_real_escape_string($R)."'"; + $q.= ", LangPreference = '".mysql_real_escape_string($L)."'"; + $q.= ", IRCNick = '".mysql_real_escape_string($I)."'"; $q.= ", NewPkgNotify = "; if ($N) { $q.= "1 "; @@ -435,19 +435,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", $search_vars[] = "S"; } if ($U) { - $q.= "AND Username LIKE '%".mysql_escape_string($U)."%' "; + $q.= "AND Username LIKE '%".mysql_real_escape_string($U)."%' "; $search_vars[] = "U"; } if ($E) { - $q.= "AND Email LIKE '%".mysql_escape_string($E)."%' "; + $q.= "AND Email LIKE '%".mysql_real_escape_string($E)."%' "; $search_vars[] = "E"; } if ($R) { - $q.= "AND RealName LIKE '%".mysql_escape_string($R)."%' "; + $q.= "AND RealName LIKE '%".mysql_real_escape_string($R)."%' "; $search_vars[] = "R"; } if ($I) { - $q.= "AND IRCNick LIKE '%".mysql_escape_string($I)."%' "; + $q.= "AND IRCNick LIKE '%".mysql_real_escape_string($I)."%' "; $search_vars[] = "I"; } switch ($SB) { |